CVE-2017-2840
A buffer overflow vulnerability exists in the ISO parsing functionality of EZB Systems UltraISO 9.6.6.3300. A specially crafted .ISO file can trigger this vulnerability, resulting in potential code execution. An attacker can provide a specific .ISO file to trigger this vulnerability.
https://www.ezbsystems.com/ultraiso
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with the UltraISO software.
.text:00455F6F push 2 ; maxlen
.text:00455F71 push offset aNm_0 ; "NM"
.text:00455F76 push [ebp+s1] ; s1
.text:00455F79 call _strncmp
.text:00455F7E add esp, 0Ch
.text:00455F81 test eax, eax
.text:00455F83 jnz short loc_455FD7
.text:00455F85 mov edx, [ebp+s1]
.text:00455F88 xor ecx, ecx
.text:00455F8A mov cl, [edx+2]
.text:00455F8D add ecx, 0FFFFFFFBh
.text:00455F90 push ecx ; maxlen
.text:00455F91 mov eax, [ebp+s1]
.text:00455F94 add eax, 5
.text:00455F97 push eax ; src
.text:00455F98 lea edx, [ebp+s]
.text:00455F9E push edx ; dest
.text:00455F9F call _strncpy
After the "NM" entry is located in the .ISO file, UltraISO calls the _strncpy function with a maxlen argument calculated directly from the ISO header's byte field NM_hdr.len (the length of the alternate name).
UltraISO assumes this field is always larger than 5 bytes; however, if an attacker forces it to be less than that value, the maxlen parameter passed to _strncpy becomes extremely large (NM_hdr.len - 5, computed as an unsigned 32-bit value).
Later, the memset call inside _strncpy is executed with this extremely large size parameter, which leads to memory corruption.
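The following is an added example, not UltraISO's code: it reproduces the faulting length arithmetic from the disassembly above and places beside it a bounds-checked parser for an NM entry (assumed layout: "NM", one length byte, version, flags, then the name, i.e. a 5-byte header). The sample entries are constructed.

```c
/* Added example (not UltraISO's code): the NM ("alternate name") entry length
 * check that the advisory's disassembly lacks.  Assumed entry layout:
 * "NM", length byte, version, flags, then the name bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NM_HDR_LEN 5   /* "NM" + len + version + flags */

/* Mirrors the faulting computation: ecx = (uint8)len; ecx += 0xFFFFFFFB.
 * For len < 5 this wraps to a value near 4 GiB, which then reaches strncpy. */
uint32_t nm_copy_len_vulnerable(uint8_t len) {
    uint32_t ecx = len;
    ecx += 0xFFFFFFFBu;        /* i.e. len - 5 in unsigned 32-bit arithmetic */
    return ecx;
}

/* Hardened parser: returns the name length copied into out, or -1 on a
 * malformed entry.  Checks: signature, len >= header size, len within the
 * remaining system-use area, and the destination capacity. */
int parse_nm_entry(const uint8_t *sua, size_t sua_len, char *out, size_t outcap) {
    if (sua_len < NM_HDR_LEN || memcmp(sua, "NM", 2) != 0)
        return -1;
    uint8_t len = sua[2];
    if (len < NM_HDR_LEN || len > sua_len)      /* rejects the underflow case */
        return -1;
    size_t name_len = (size_t)len - NM_HDR_LEN;
    if (name_len >= outcap)                     /* leave room for the NUL */
        return -1;
    memcpy(out, sua + NM_HDR_LEN, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

int main(void) {
    /* Constructed sample entries: a well-formed one and one with len = 2. */
    const uint8_t good[] = { 'N','M', 9, 1, 0, 'd','a','t','a' };
    const uint8_t bad[]  = { 'N','M', 2, 1, 0 };
    char name[32];
    printf("good -> %d (%s)\n", parse_nm_entry(good, sizeof good, name, sizeof name), name);
    printf("bad  -> %d\n", parse_nm_entry(bad, sizeof bad, name, sizeof name));
    printf("vulnerable maxlen for len=2: 0x%08x\n", nm_copy_len_vulnerable(2));
    return 0;
}
```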
FAULTING_IP:
UltraISO!PerfgrapFinalize+a0e83
0063d663 894724 mov dword ptr [edi+24h],eax
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000063d663 (UltraISO!PerfgrapFinalize+0x00000000000a0e83)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 00000000001a0000
Attempt to write to address 00000000001a0000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=0019e5cc ecx=0019e580 edx=1ffffcb1 esi=0019e588 edi=0019ffdc
eip=0063d663 esp=0019dd50 ebp=0019dd54 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
UltraISO!PerfgrapFinalize+0xa0e83:
0063d663 894724 mov dword ptr [edi+24h],eax ds:002b:001a0000=78746341
FAULTING_THREAD: 0000000000001ac8
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: UltraISO.exe
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
MODULE_NAME: UltraISO
FAULTING_MODULE: 00000000772f0000 KERNEL32
DEBUG_FLR_IMAGE_TIMESTAMP: 7073415b
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 00000000001a0000
WRITE_ADDRESS: 00000000001a0000
FOLLOWUP_IP:
UltraISO!PerfgrapFinalize+a0e83
0063d663 894724 mov dword ptr [edi+24h],eax
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: ultraiso.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 000000000063da1d to 000000000063d663
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019dd54 0063da1d 0019e5cc 00000000 ffffffb8 UltraISO!PerfgrapFinalize+0xa0e83
0019dd74 00455fa4 0019e588 03add23a fffffffc UltraISO!PerfgrapFinalize+0xa123d
0019e698 00000000 00000000 00000000 00000000 UltraISO!UfrmaboutFinalize+0xf2f0
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ultraiso!PerfgrapFinalize+a0e83
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: UltraISO.exe
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_UltraISO.exe!PerfgrapFinalize
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_c0000005_ultraiso.exe!perfgrapfinalize
FAILURE_ID_HASH: {8525b873-cc2c-e428-e6fe-9d607d830bb5}
Followup: MachineOwner
---------
2017-05-24 - Vendor Disclosure
2017-08-01 - Public Release
Discovered by Piotr Bania of Cisco Talos.